Crypto Platform Bitrefill Hit by Lazarus-Linked Hack as Funds Drained and 18,500 Records Exposed


Bitrefill suffers Lazarus-linked hack exposing 18,500 records and draining funds, prompting major security upgrades.

Blockchain Academics, March 18, 2026

A major cybersecurity breach has struck Bitrefill, exposing vulnerabilities in one of the crypto sector’s most established payment platforms and raising fresh concerns about state-linked hacking operations targeting digital assets.

The company confirmed that a sophisticated attack earlier this month resulted in drained corporate funds and the exposure of sensitive customer data, in an incident it says bears “strong similarities” to operations associated with the Lazarus Group. The group, widely believed to be backed by North Korea, has been tied to some of the largest cryptocurrency thefts in recent years.

According to Bitrefill’s internal report, the breach began on March 1 when attackers compromised an employee device and obtained a legacy login credential. What followed was a calculated escalation. Using that initial foothold, the attackers moved laterally through the company’s infrastructure, extracting production secrets and escalating privileges until they could reach parts of its database and its crypto wallets.

The intrusion was not immediately obvious. Bitrefill only detected the breach after unusual purchasing patterns emerged in its supplier transactions. By then, the attackers had already exploited weaknesses in the company’s gift card inventory systems and supply-chain integrations, in addition to siphoning funds from wallets.
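The detection signal described above, an abnormal volume of supplier purchases, is the kind of thing a simple per-supplier baseline can surface hours earlier than a manual review. The following is an added example, not Bitrefill’s detection code and not based on any detail of its systems: it assumes a simplified purchase record of (timestamp, supplier, amount), builds an hourly baseline per supplier over the preceding 24 hours, and flags any hour whose purchase count or spend is a robust-z-score outlier. Median and MAD are used instead of mean and standard deviation so that one attacker burst cannot inflate the baseline it is being compared against. The sample history, including the burst in hour 48, is constructed for this example.

```python
"""Flag anomalous supplier purchasing hours against a per-supplier baseline.

Added example, not Bitrefill's code. Record format (ISO timestamp, supplier,
amount) is an assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def _hour(i):
    """Helper for the constructed dataset: ISO timestamp for hour i of March 1, 2026."""
    return (datetime(2026, 3, 1, tzinfo=timezone.utc) + timedelta(hours=i)).isoformat()


# Constructed sample history: 48 normal hours for two suppliers, then a burst.
PURCHASES = []
for h in range(48):
    # vendor A: 3-5 purchases/hour of roughly $50; vendor B: 1-2 of $25
    for k in range(3 + (h % 3)):
        PURCHASES.append((_hour(h), "giftcard-vendor-A", 50.0 + k))
    for k in range(1 + (h % 2)):
        PURCHASES.append((_hour(h), "giftcard-vendor-B", 25.0))
# hour 48: 40 purchases of $500 from vendor A (the constructed anomaly)
for k in range(40):
    PURCHASES.append((_hour(48), "giftcard-vendor-A", 500.0))


def hourly_buckets(records):
    """Aggregate [count, total_amount] per supplier per clock hour."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0.0]))
    for ts, supplier, amount in records:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        b = buckets[supplier][hour]
        b[0] += 1
        b[1] += amount
    return buckets


def robust_z(value, history):
    """Median/MAD z-score. 0.6745 scales MAD to one sigma for normal data.

    A zero MAD means the baseline never varied; any deviation is then
    treated as an extreme outlier rather than dividing by zero.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect(records, baseline_hours=24, threshold=5.0):
    """Score every active hour after the warm-up window against the
    supplier's preceding `baseline_hours` active hours.

    Hours with no purchases produce no bucket and are not scored; a
    production version would also alert on suspicious silence.
    """
    alerts = []
    for supplier, hours in hourly_buckets(records).items():
        ordered = sorted(hours.items())
        for i in range(baseline_hours, len(ordered)):
            hour, (count, total) = ordered[i]
            hist = ordered[i - baseline_hours:i]
            z_count = robust_z(count, [c for _, (c, _) in hist])
            z_total = robust_z(total, [t for _, (_, t) in hist])
            if z_count > threshold or z_total > threshold:
                alerts.append({
                    "supplier": supplier,
                    "hour": hour.isoformat(),
                    "count": count,
                    "total": total,
                    "z_count": round(z_count, 1),
                    "z_total": round(z_total, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(PURCHASES):
        print(alert)
```

Only the constructed burst hour is flagged; the normal 3-to-5-per-hour variation in vendor A and the 1-to-2 alternation in vendor B stay well under the threshold. In practice the same scoring would run on a stream of supplier API calls, and a hit would feed the kind of automated shutdown the company says it is now adding.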

“Getting hit by a sophisticated attack sucks (a lot)… But we survived,” the company stated, reflecting both the severity of the breach and its efforts to contain the damage.

In total, around 18,500 purchase records were affected. The compromised data includes customer email addresses, cryptocurrency payment details, and metadata such as IP addresses. In roughly 1,000 cases, transactions involving identity-linked products also included customer names. While those names were encrypted, Bitrefill acknowledged that they could be exposed if the encryption keys were accessed during the attack, a real possibility given that the attackers are reported to have extracted production secrets.

Notably, the company emphasized that core customer assets remained secure. Gift cards, account balances, and store credits were not impacted, and sensitive identity verification data was not stored internally. Bitrefill operates with minimal mandatory know-your-customer requirements, and any additional verification data is handled by third-party providers.

Security investigators identified multiple indicators pointing toward Lazarus-linked activity, including overlaps in malware behavior, blockchain transaction tracing patterns, and reused digital infrastructure such as IP addresses and email accounts. The attack also showed signs consistent with operations tied to Bluenoroff, a subgroup often associated with financially motivated cyber campaigns.

Despite the scale of the breach, Bitrefill has moved quickly to stabilize operations. The company temporarily shut down its systems to contain the intrusion and has since restored key services, including payments, inventory management, and customer account access. It reports that transaction volumes have already returned to pre-incident levels.

Financially, Bitrefill plans to absorb the losses using its own capital, a move likely aimed at preserving user trust in an industry where confidence can erode rapidly after security failures.

Looking ahead, the company is implementing a series of reinforced security measures. These include stricter access controls, expanded penetration testing, improved monitoring systems, and automated shutdown protocols designed to respond faster to future threats.

The incident underscores a broader reality facing the crypto industry: as adoption grows, so does its appeal to highly organized cyber actors. Even established platforms are not immune, and resilience now depends as much on response and recovery as it does on prevention.
